LinuxQuestions.org


markehb 03-22-2004 07:59 AM

ssh without the password prompt
 
Did a search but none of the many topics on this I found helped me.

Box A has sshd running.
Box B has ssh and is the one I'm trying to connect from.

On Box B I first ran ssh-keygen -t dsa
entered the password and it created the id_dsa & .pub files.

On Box A created a dir in /home/ called .ssh and copied the id_dsa.pub over and renamed it to authorized_keys

On Box B ran:
ssh 111.111.111.111
it prompted for pass, entered this and it added Box A to known hosts and connects fine.

When trying to setup the public key:

On Box B ran:
ssh-agent /bin/bash
ssh-add
*it then prompts for the passphrase which I enter (the password from above).
ssh-add -l
*shows that the key is there
ssh 111.111.111.111
* which prompts for password (which I believe it shouldn't)

Any ideas?

Cheers All


:confused:

trickykid 03-22-2004 01:15 PM

Connecting thru ssh, it should and will always ask for the user's password by default to login. It doesn't just read the keys and assume you are who you say you are.

mako747 03-22-2004 02:08 PM

Hi there.

Copy the public key to /home/whoever/.ssh2 on the box you want to connect to.

Edit a file in that directory called authorization and insert the following line...

Key id_dsa_1024_b.pub

That is assuming that the key you generated was id_dsa_1024_b.pub

Assuming you did this correctly you will then be able to connect from the box that you generated the key on without a password.

Pollyanna 03-23-2004 09:18 AM

Hi markehb,

you are almost there: the only thing you have to do is leave the password empty when generating the keypair.


Hope it was of any help

Pollyanna

markehb 03-23-2004 10:09 AM

tried that, no joy :cry:

stupid newbie question in my sshd.conf I uncommented the line:
AuthorizedKeysFile ~/.ssh/authorized_keys

what does the ~ mean? is it like the root dir?

mako747 03-23-2004 10:15 AM

Try again, I use it to grab backups during the night.

Remove the key you generated, run ssh-keygen, do not use a password or a passphrase.

Copy the key over as I said before.

If you still have trouble I can send you a script that will automate it for you.

mako747 03-23-2004 10:17 AM

The ~ is the home directory

markehb 03-23-2004 10:35 AM

no joy again, deleted the pair. created a new one with no passphrase, copied the id_dsa.pub file into /home/mark/.ssh2/ (on the host)

created a file called authorization in the same dir and put in it:
Key id_dsa.pub

still prompts for password, not even the passphrase.

starting to bug me now :scratch:

mako747 03-23-2004 11:12 AM

What is the output of ssh -V and is it the same on both machines?

markehb 03-23-2004 11:21 AM

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
and is the same on both.

mako747 03-23-2004 12:24 PM

Ok. Sorry for the delay. Had to build a second machine for testing.

Anyway, I have it working.

Here is what I did....
Left the sshd_config file alone, no changes.

Ran ssh-keygen -t dsa, did not enter a passphrase.

Scp'd id_dsa.pub to my /home/me/.ssh/ directory on the test machine

Touched a file called authorized_keys

brad@test:~/.ssh$ cat id_dsa.pub > authorized_keys

brad@brad:~/.ssh$ ssh 10.10.1.234
Last login: Tue Mar 23 13:14:29 2004 from brad.caledoncard.ca
Linux 2.4.22.

You will be imprisoned for contributing
your time and skill to a bank robbery.

brad@test:~$

It works.

Sorry, should have asked your versions earlier.

markehb 03-24-2004 03:00 AM

on the remote I have a dir called ~/mark/.ssh/
which in it has the 2 pair files id_dsa and id_dsa.pub as well as known.hosts

on the host (running sshd) I have a dir called:
~/.ssh/ that has 600 permissions, created by and owned by user and group 'mark'

In which there is an exact copy of id_dsa.pub called authorized_kels but without the linebreak after it (cos apparently that causes probs). This is also set to 600 and owned by user and group mark.

Can you put up your sshd_config, so I can make sure they're the same?

Then I'll delete everything and start again, without changing anything.

I also think I have a permissions prob cos even tho the user 'mark' is part of the root group it still doesn't have permissions to write to dir's etc created by root, which is why the authorized_keys etc is owned by mark and not root, whether that's right or not I don't know.

Cheers for your help btw :)

Don_Quixote 03-24-2004 03:39 AM

usually ssh behaves somehow like rsh.
Did you create an .rhosts or .shosts file in $HOME for user specific settings?
Did you check the /etc/hosts.equiv, hosts.allow, hosts.deny files for system wide settings?
Usually a ~/.shosts file containing the host name or IP of the remote part should be enough to omit the input of the password.

Erik

markehb 03-24-2004 03:42 AM

no, the .rhosts .shosts bit, what I need to do?

yes, to the hosts.equiv/allow/deny

Don_Quixote 03-24-2004 04:33 AM

Try creating a .shosts file containing just the IP address or the hostname of the remote host you want to log in without pwd as the only entry per line.
On host A:
~/.shosts: with the content

hostname_of_host_B

On host B:
~/.shosts

hostname_of_host_A

If the names can not be resolved, use IP addresses.

There should also be something in the man pages of ssh...

good luck ;)
Erik

markehb 03-24-2004 05:10 AM

cheers, but no joy.

mako747 03-24-2004 08:12 AM

Hi.

On the machine that you want to log into without a password you should have the public key that was generated by running ssh-keygen on the machine that you want to connect from.
The private key stays on the machine that you are connecting from.
The ~/mark/.ssh directory should have 700 permissions, owner mark, group users
The id_dsa.pub should be called just that, the id_dsa private key has to know what to look for.

Cat the key (id_dsa.pub) to an empty authorized_keys file

Here is my sshd_config



# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

Good luck, take it step by step and it will work.

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
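
Added example, not part of any poster's message: a shell audit of the permission and ownership conditions this post mentions (700 on .ssh, the default `#StrictModes yes` and `AuthorizedKeysFile .ssh/authorized_keys`). It approximates sshd's StrictModes test (owner must be the user or root, no group or world write bit) on the home directory, `.ssh` and `authorized_keys`, and also flags key lines broken across lines. The function names `check_path` and `audit_pubkey_login` are hypothetical.

```shell
#!/bin/sh
# Added example: approximate the checks sshd makes with "StrictModes yes"
# before it will trust ~/.ssh/authorized_keys for public-key login.

# Key-type token followed by a base64 blob; options may precede it on the line.
KEY_RE='(^|[[:space:]])(sk-)?(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp[0-9]+)(@openssh\.com)? [A-Za-z0-9+/=]+'

# check_path PATH UID: return 1 (and print why) if sshd would distrust PATH.
check_path() {
    cp_path=$1; cp_uid=$2
    [ -e "$cp_path" ] || { echo "MISSING  $cp_path"; return 1; }
    cp_ls=$(ls -ldnL "$cp_path")          # -n numeric owner, -L follow symlinks
    cp_mode=$(printf '%s\n' "$cp_ls" | awk '{print $1}')
    cp_owner=$(printf '%s\n' "$cp_ls" | awk '{print $3}')
    if [ "$cp_owner" != "$cp_uid" ] && [ "$cp_owner" != 0 ]; then
        echo "OWNER    $cp_path is owned by uid $cp_owner, expected $cp_uid or 0"
        return 1
    fi
    # Characters 6 and 9 of the mode string are the group and other write bits.
    case $(printf '%s\n' "$cp_mode" | cut -c6,9) in
        *w*) echo "WRITABLE $cp_path ($cp_mode) is group- or world-writable"
             return 1 ;;
    esac
    return 0
}

# audit_pubkey_login HOME [UID]: return the number of problems found.
audit_pubkey_login() {
    au_home=$1; au_uid=${2:-$(id -u)}; au_fails=0
    au_keys="$au_home/.ssh/authorized_keys"
    for au_p in "$au_home" "$au_home/.ssh" "$au_keys"; do
        check_path "$au_p" "$au_uid" || au_fails=$((au_fails + 1))
    done
    if [ -f "$au_keys" ]; then
        # A key must sit on one line; a wrapped paste leaves lines with no key type.
        au_bad=$(grep -Ev '^[[:space:]]*(#|$)' "$au_keys" | grep -Evc "$KEY_RE" || true)
        if [ "$au_bad" -gt 0 ]; then
            echo "BADLINE  $au_keys: $au_bad line(s) lack a key type and base64 blob"
            au_fails=$((au_fails + 1))
        fi
    fi
    [ "$au_fails" -gt 0 ] || echo "OK       $au_home"
    return "$au_fails"
}

# Run against a home directory when one is given on the command line.
if [ $# -ge 1 ]; then audit_pubkey_login "$@"; fi
```

Run it on the server as `sh audit.sh /home/mark` (script name and path are placeholders); a non-zero exit status is the number of findings.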

markehb 03-24-2004 08:30 AM

done it! 4 days of frustration and surfing the net over with.

Thanks Mako you're a star, thanks everyone who helped :)

w00t!

:newbie:

mako747 03-24-2004 08:58 AM

Congratulations !

Have fun.

markehb 03-24-2004 11:40 AM

spoke too soon, tried to rsync using ssh works fine without prompt, then tried doing it in a cron job and gets permission denied.

So I removed .shost (which I think it doesn't need to do it this way) and just gets the password prompt again.

mako747 03-24-2004 12:03 PM

The cron job...are you using scp?

If so, plug in the full path.

And, do you mean that you can now no longer connect via ssh without a password prompt?

markehb 03-25-2004 02:42 AM

not using scp doing:

rsync -ave ssh mark@111.111.111.111/var/www/html/ /var/www/html/

and yes after removing .shosts it now prompts for a password again.

mako747 03-25-2004 09:58 AM

Ok, I just tested it and it works.

used the command....
rsync -av --rsh="ssh -i .ssh/id_rsa" brad@10.10.1.234:/home/brad/ /home/brad/

Here is the output....

brad@brad:~$ rsync -av --rsh="ssh -i .ssh/id_rsa" brad@10.10.1.234:/home/brad/ /home/brad/
Warning: Identity file .ssh/id_rsa does not exist.
receiving file list ... done
wrote 16 bytes read 274 bytes 580.00 bytes/sec
total size is 5734 speedup is 19.77
brad@brad:~$

Did you make any directory permission changes or anything like that?

markehb 03-25-2004 10:02 AM

you haven't got .shosts have you? I'll try forcing it to use the key, though on yours it didn't find it?

permissions are 755 on the .ssh dir on the host 600 on authorized_keys.
and 600 on the private key file on the remote.

mako747 03-25-2004 10:10 AM

It whined but did what it was supposed to.

Check this out...

http://lists.samba.org/archive/rsync...er/007404.html

mako747 03-25-2004 10:12 AM

Grrr......

That should be /rsync/2003-October/ in the middle of that url....

markehb 03-25-2004 10:15 AM

s'ok, the link worked fine :), the board just truncated the middle to make it shorter. reading it now

markehb 03-25-2004 11:12 AM

nope, still not working, gonna ping it out the window in a min

